Researchers from the Technion – Israel Institute of Technology and Tel Aviv University, in collaboration with the Israel National Cyber Directorate, have taken control of a Siemens PLC that is widely regarded as one of the most secure controllers on the market.
The attack was led by Professor Eli Biham, the head of the Hiroshi Fujiwara Cyber Security Research Center at the Technion, Dr. Sara Bitan from the Technion’s Faculty of Computer Science, and Professor Avishai Wool of the School of Electrical Engineering at Tel Aviv University, together with students Aviad Carmel, Alon Dankner, and Uriel Malin.
As part of the attack, the researchers analyzed the components of Siemens' proprietary cryptographic protocol and, on the basis of that analysis, built a rogue engineering station that the controller accepts in place of Siemens' official one.
The rogue station was able to start and stop the controller, download control logic of the attackers' choosing, and alter both the program the controller runs and the source code it presents. The researchers could do this without being detected by the engineers operating the controller.
The attack targeted the Siemens Simatic S7 family of programmable logic controllers. PLCs are used today in critical infrastructure such as power stations and production lines, as well as in lighting systems, vehicles, aircraft, and smart homes, where they let a system respond automatically to changes in its environment.
The newer generations of the Simatic S7 family are considered more secure than their predecessors, mainly because of stronger cryptographic protection of the communication between the engineering station and the controller. Attacking them is therefore a complex undertaking that demands expertise in several fields at once.
Since Siemens does not publish the protocol by which engineering stations communicate with the controllers, the researchers reconstructed it through reverse engineering, detective work that took many months.
Once the protocol was reconstructed, the researchers mapped the controller's security and encryption mechanisms and looked for weaknesses in them. They were able to derive the shared keys the controller uses, and with those keys to impersonate a legitimate engineering station as far as the controller could tell. The practical lesson is that a shared key an attacker can recover by reverse engineering provides no authentication: the controller trusts whoever holds the key, not a specific station.
With these findings in hand, the researchers loaded malware onto the controller despite its cryptographic protections. Doing so required deep systems knowledge, reverse-engineering skill, communications protocol analysis, and cryptanalysis.
The researchers reported their findings to Siemens so the company could respond. The attack nonetheless underscores the need for both manufacturers and customers to invest in securing industrial control systems; as the researchers found, that is a harder task than securing conventional information systems.